Practical Threat Detection Engineering by Megan Roddie Jason Deyalsingh Gary J. Katz

Author:Megan Roddie, Jason Deyalsingh, Gary J. Katz
Language: eng
Format: epub
Publisher: Packt Publishing Pvt Ltd
Published: 2023-06-27T00:00:00+00:00


One plainly wrong approach would be to build a detection that looks for exact matches on all of the event's attributes. The reason this won't work is that we expect certain attributes to change: the event time will almost always differ, and since we want to detect the activity on multiple systems, the system name cannot be part of the definition. Conversely, if we develop a rule that relies only on Event Type = File Execution, we will likely capture every execution of evil.exe, but also the execution of many other files that are not named evil.exe.

Since attributes can change for events representing the same underlying activity, the rules we develop need to be similarly tuned to account for these changes. If rules are too tightly defined, they will likely not match every occurrence of the event; if rules are too loosely defined, they will generate false positives. A safe goal is to write a rule that minimizes false positives. Let’s take a look at how the telemetry changes when using different tools that are functionally similar to PsExec in order to identify which fields will remain consistent.
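To make the trade-off concrete, the following added example (not code from the book or its authors) scores three candidate rules against a small set of constructed execution events: an exact-match rule that pins every attribute of the first observation, a rule keyed on event type alone, and a tuned rule that keeps only the attributes expected to stay constant. The event fields, host names and timestamps are assumptions invented for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    event_time: str
    host: str
    event_type: str
    file_name: str
    should_fire: bool  # constructed ground truth: should this detection fire on the event?


# Constructed sample telemetry (hypothetical, not from the book): the same
# execution of evil.exe observed on three different hosts at different times,
# plus unrelated activity that shares some of the same attribute values.
EVENTS: List[Event] = [
    Event("2023-06-27T10:00:01Z", "ws-01", "File Execution", "evil.exe", True),
    Event("2023-06-27T10:05:42Z", "ws-02", "File Execution", "evil.exe", True),
    Event("2023-06-27T11:17:09Z", "srv-03", "File Execution", "evil.exe", True),
    Event("2023-06-27T10:00:01Z", "ws-01", "File Execution", "notepad.exe", False),
    Event("2023-06-27T10:02:13Z", "ws-02", "File Execution", "outlook.exe", False),
    # The file being written is a different activity from it being run;
    # this particular detection is meant to catch execution only.
    Event("2023-06-27T09:58:30Z", "ws-01", "File Create", "evil.exe", False),
]

# The single observation the analyst started from.
REFERENCE = EVENTS[0]

Rule = Callable[[Event], bool]


def rule_exact_match(e: Event) -> bool:
    """Too tight: every attribute of the reference event must match, including
    the timestamp and host name, so only the original observation is caught."""
    return (e.event_time, e.host, e.event_type, e.file_name) == (
        REFERENCE.event_time, REFERENCE.host, REFERENCE.event_type, REFERENCE.file_name
    )


def rule_event_type_only(e: Event) -> bool:
    """Too loose: any file execution fires, so every benign program is a false positive."""
    return e.event_type == "File Execution"


def rule_tuned(e: Event) -> bool:
    """Tuned: keep the attributes that stay constant across occurrences (event
    type and file name) and drop the ones that vary (time, host)."""
    return e.event_type == "File Execution" and e.file_name == "evil.exe"


RULES: Dict[str, Rule] = {
    "exact_match": rule_exact_match,
    "event_type_only": rule_event_type_only,
    "tuned": rule_tuned,
}


def score(rule: Rule, events: List[Event]) -> Dict[str, int]:
    """Count true positives, false positives and false negatives for one rule."""
    tp = fp = fn = 0
    for e in events:
        fired = rule(e)
        if fired and e.should_fire:
            tp += 1
        elif fired and not e.should_fire:
            fp += 1
        elif not fired and e.should_fire:
            fn += 1
    return {"tp": tp, "fp": fp, "fn": fn}


def evaluate_all(events: List[Event] = EVENTS) -> Dict[str, Dict[str, int]]:
    """Score every candidate rule against the same labelled event set."""
    return {name: score(rule, events) for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, s in evaluate_all().items():
        print(f"{name:16} tp={s['tp']} fp={s['fp']} fn={s['fn']}")
```

Running it shows the exact-match rule missing two of the three occurrences (fn=2), the event-type rule catching all three at the cost of two benign executions (fp=2), and the tuned rule catching all three with none. The same scoring loop can be re-run each time a rule is revised, which is the workflow the next step (comparing telemetry from PsExec-like tools to find the fields that stay consistent) feeds into.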
